Hi,
Currently ES4 allows to access from eval scripts the names introduced
by the let statements and expressions. It leads to implementation
complexity since the let bindings cannot be implemented as a pure
compilation-time feature and the runtime must be able to expose the
names for eval scripts.
Thus I suggest to consider making let bindings invisible to the eval
scripts. That is, the idea is to exclude any let-induced name from the
scope chain passed to the eval script. For example, given:
let a;
function f(b) {
var c;
let d;
eval(eval_source);
}
the script from eval_source when executed would not see a and d and
would be able to access/modify only b and c.
This not only simplifies implementations, but would also give a
possibility to prevent eval-injections from discovering the internal
state of a closure as long as the closure uses let for its internal
state. Although ES4 mitigates that with restrictions on the indirect
eval, for compatibility implementations may be forced to support it.
Regards, Igor
_______________________________________________
Es4-discuss mailing list
Es4-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es4-discuss
